[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4E8655CD.90107@zytor.com>
Date: Fri, 30 Sep 2011 16:50:37 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: kernel.org status: establishing a PGP web of trust
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
Since the kernel.org status announcement last week a number of you
have contacted me about re-establishing credentials. In order to
establish a proper PGP web of trust we need keys that are cross-signed
by other developers. As such, we ask that you follow the following
steps:
1. Make sure your systems are uncompromised. We will address specific
recommended steps for that in a separate email.
2. Create a new PGP/GPG key, and also generate a key revocation
certificate (but don't import it anywhere -- save it for the
future) for your new key. In the near future we are considering
setting up an escrow service for key revocation certificates.
I recommend using a 4096-bit RSA key. Given how fast computers are
these days, there is no reason to use a shorter key. DSA keys
should be considered obsolete; substantial weaknesses have been
found in DSA.
$ gpg --gen-key
$ gpg -u <key ID> -o <key ID>.revoke --gen-revoke
3. If you are reasonably certain that your old key has never been
jeopardized, sign the new key with the old key.
$ gpg -u <your old key ID> --sign-key <your new key ID>
If you are *not* sure about your old keys, please revoke them if
you haven't already done so (create a revocation certificate and
import it into your keyring, then push the key to the key servers.)
$ gpg -u <your old key ID> -o <your old key ID>.revoke --gen-revoke
$ gpg --import <your old key ID>.revoke
$ gpg --keyserver pgp.mit.edu --send-key <your old key ID>
4. Upload the signed keys to the keyserver system (I usually use
pgp.mit.edu, but most of the keyservers sync with each other with
roughly a 24-hour delay.) By publishing the keys we make them
available not only to kernel.org but for other uses, like signing
email, and you can verify yourself by looking at http://pgp.mit.edu/
if there is someone out there who has published a key with your name
on it. Furthermore, it allows us to tap other webs of trust already
established.
$ gpg --keyserver pgp.mit.edu --send-key <your key ID>
5. Get as many other kernel developers that you have physical access to
to sign your key after verifying the fingerprint. Verifying keys
over the phone is OK if and only if you know them *extremely* well;
think "would I be willing to testify in court that the person I
talked to was X"?
If you work in an office with multiple other Linux developers, it
would be a very good thing to organize a local key signing. We will
do a key signing at Kernel Summit for the core kernel developers.
A web site with recommendations for running a key signing:
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
$ gpg --fingerprint <key ID>
$ gpg --keyserver pgp.mit.edu --recv-key <their key ID>
$ gpg -u <your key ID> --sign-key <their key ID>
$ gpg --keyserver pgp.mit.edu --send-key <their key ID>
$ gpg --keyserver pgp.mit.edu --recv-key <your key ID>
6. Please send me the key identifier and fingerprint to
<keys@...or.com>. This is a temporary address until the kernel.org
MX is ready to put back online; eventually we will probably have a
web form interface for this.
-hpa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJOhlXFAAoJEL2gYIVJO6zkc7MP/2Qb6iOGCMEd3ncV8N9Znqsf
nPYnjS7Eo8EafbC5A/Pe5UaqzVw3UrWAewTENUaNndXuTDRYhvt2SeQEbASpCTfG
Wr0WPzcrrnIOhJDk9WyLUIE+wR52Alq/EYmiRBDBNJmNqwo7SgXVpyDqMvLeH9IH
LCey68XfQ2WrD25p3a3zmi5woGuluQsUVYNJCB0yC1RpESJDO6GNx+tUWWR6kRk1
GmaUs0qrx9nHrycQZIq1pga3v/uxSvxr7pYAvLMLvl0pCFE+GbQ+wCMqpddOTA0/
0d5QVRqL1neCMGYUm+9Ff3AzzyaqTKHPOm6grnUp+M73+3FJIMzr3BOEIJnusJA5
vDPjHl8j3+LJXeTNNp3V/pmM89uc9vWjdyRoMyeufN2simC07csxh8E8s35hz3gj
z6tdch9ygHJt1rS3XuJva9p5kNm0ptMtbF1wWzJCci8Lo7iiMoj0GECyeIzvEbic
qG6sUfgIORGe3OH8MPCdmn2BY1y0Rz6rD05s1nZOBxOoYihrtDrnNC5MJl4+lvTW
7fzTFVzbjQO7Ybu/PqLeAJ4ieTFflbp4j7dI9dTKxHfTKQ+NT1YgiRpS7gcZeDhS
YmVKMmN5QpxFqMYhr9gc2S/6iYwRTP1juWMf0bxP9xiY/SaBhW8XrpyxE85svc+o
9j39P8QGHPb35HQ2HPgn
=PdWd
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists